New facets of cyber threats unfold in India at a time when financial transactions and personal identifications are increasingly becoming digitised. The ongoing stocking of data to the cloud, increasing use of virtualisation, Artificial Intelligence (AI), Internet of Things (IoT) and blockchain are disrupting the risk environment across Indian organisations, says Sandeep Gupta, Managing Director, Technology Consulting, Protiviti India Member Firm. Key cyber risks that the corporate India faces today are data theft, cyber extortion, disruption of services, unauthorised money transfers, IoT and AI-driven attacks, he adds. Besides, cyber security segment opens up new job opportunities in the country. Edited excerpts:
What are the latest trends in global cyber security and IT privacy?
The situation in India largely echoes the challenges in global arena. We see IT audit functions continue to grapple with resourcing, staffing and skill needs. The threat landscape is evolving constantly. The cybercriminals are getting more sophisticated, while the regulations are slowly catching up. There are persistent gaps and process breakdowns in the ongoing transformation projects.
Protiviti & IT governance institution ISACA have recently come up with a survey on IT Audit. According to the survey, IT security and privacy are the top technology challenges faced by organisations across the world. Data management and governance are other challenging areas. The migration of data and processes to the cloud, virtualisation, use of AI and Robotic Process Automation (RPA), and other innovations are changing the risk and control environment in the country. It is crucial for IT auditors to be aware of these changes and enable management with proper control and compliance practices. These teams must have an agile, 'next-gen' mindset and approach.
Indian organisations are working towards improving controls to address the issues. According to a Gartner research, Enterprise Information Security spending by segment in India will grow from $1.53 billion in 2017 to $2.1 billion in 2020. Maximum spending of this will come from security services, which will grow from $809 million in 2017 to $1069 million in 2020.
What are the top cyber threats that the country needs to watch out for today?
Rapid digitisation and changing technology trends such as increased use of cloud services, IoT, inception of blockchain and shadow IT are bringing new cyber risks to the organisations.
A single cybersecurity incident can significantly disrupt operations and it can result in loss of revenues, leading to long-term financial damage, regulatory and legal actions. It can damage reputation of organisations and harm the confidence of its customers.
Key cyber risks that the corporate India is facing are mainly around data/IP theft, cyber extortion, disruption of services and un-authorised money transfers. These are carried out using social engineering, advanced malware, ransomware, application layer attacks, communication hacks, and spear-phishing. The cyber attackers are professional hackers, state-sponsored hacking groups and malicious insiders.
Third-party cyber risk is also a growing area of concern. The partners and vendors pose a huge risk to corporations, the majority of which have no secure system or dedicated team in place. There is increased data sharing with suppliers and partners and more integrated supply chains.
With cloud adoption, Bring your own Device (BYoD) and increasing use of cloud service providers, hackers have plenty of attack vectors to choose from. The challenge that organisations face today is to secure both on-premise and off-premise (cloud) assets. The organisations need to have an all-inclusive prevention, detection, response and cyber resilience framework in place. Also, they need to continuously conduct customer awareness programmes to manage these threats effectively.
What are the emerging threats that you think would reach an alarming level in the next three-four years?
In the ever evolving cyber threat landscape, the key issues would be IoT, AI and Machine Learning (ML) driven attacks. The IoT driven attacks will be through course routers, webcams, household appliances, smart watches, manufacturing equipment, automobiles, medical appliances and even home security systems. The attackers use AI and ML to enhance the sophistication in their activities. With these tools, attacks can be cascaded and cybercrime can reach all-new heights. The cyber crime will be a major threat not just for the private sector and for individuals but for the government and the nation as a whole. The attacks target key businesses that hold valuable data of the state. Some of the attacks could be sponsored by rival states.
What are the emerging career trends in the cybersecurity space? Is the country able to produce enough talent to meet the industry demand?
According to the results of Protiviti's 2019 Internal Audit Capabilities and Needs Survey, most of the internal audit and cybersecurity groups lack skills to make use of the next-gen practices such as Ml and AI, continuous monitoring, agile auditing, process mining, and advanced analytics. High-value skills such as secure software development, cloud security and intrusion detection are in critical short supply. These skills are in great demand and we see the demand continuing. The curriculum for Indian universities should keep pace with the evolving threat landscape. India also has a unique opportunity of exporting security services across the globe.